lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 14 Jan 2013 11:05:54 +0100
From: Jan Lehnardt <>
To: "" <>,
	"" <>,
	"" <>,,
Subject: CVE-2012-5650 Apache CouchDB DOM based Cross-Site
	Scripting via Futon UI


DOM based Cross-Site Scripting via Futon UI

Affected Versions:
Apache CouchDB releases up to and including 1.0.3, 1.1.1, and 1.2.0 
are vulnerable.

Query parameters passed into the browser-based test suite are not sanitised,
and can be used to load external resources. An attacker may execute JavaScript
code in the browser, using the context of the remote user.

Upgrade to a supported release that includes this fix, such as Apache
CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which
include a specific fix.

Disable the Futon user interface completely, by adapting `local.ini` and
restarting CouchDB:

    _utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Forbidden">>}

Or by removing the UI test suite components:


This vulnerability was discovered & reported to the Apache Software Foundation
by Frederik Braun

Jan Lehnardt

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists